
New Brazilian Banking Trojan Uses Windows PowerShell Utility

Microsoft’s PowerShell scripting engine is being used as part of a new banking Trojan targeting Brazilians. Researchers made the discovery earlier this week and say the quality of the Trojan is a sign that Brazilian malware is growing more sophisticated.

The banking Trojan is identified as “Trojan-Proxy.PowerShell.Agent.a” and is one of the most technically advanced Brazilian malware samples discovered, said Fabio Assolini, a senior security researcher with Kaspersky Lab’s Global Research and Analysis Team in a Securelist blog on Thursday.

The banking Trojan is being delivered via a phishing campaign in which emails masquerade as a receipt from a mobile carrier. A malicious .PIF (Program Information File) attachment is used to infect the target’s PC. PIF files were designed to tell Windows how to run MS-DOS programs, but Windows treats the .PIF extension as executable: a Windows executable renamed to .PIF runs as soon as the recipient opens it, which is why the format is a favourite of droppers.

In the case of “Trojan-Proxy.PowerShell.Agent.a” the PIF file changes the proxy configuration in Internet Explorer to a malicious proxy server that redirects connections to phishing pages for Brazilian banks, Assolini said. Those changes in the system are made using a PowerShell script.

The browser aspect of the attack is identical to how cybercriminals have abused proxy auto-config (PAC) files in previous attacks, Assolini said. A PAC file is a small JavaScript function the browser evaluates for each URL to decide which proxy, if any, the request should go through; an attacker who controls it can route only the victim’s banking traffic to a malicious proxy while leaving everything else untouched.

“It’s the same technique used by malicious PACs that we described in 2013, but this time no PACs are used; the changes in the system are made using a PowerShell script,” Assolini wrote. Internet Explorer users are not the only ones affected: Internet Explorer’s proxy settings are the per-user WinINET settings that Chrome also honours, and Firefox, which keeps its own proxy configuration, is handled separately by the script, so users of all three browsers are redirected.

The malware has no command and control communication. Instead, once the .PIF file is launched, it spawns a “powershell.exe” process with the command line “-ExecutionPolicy Bypass -File %TEMP%\599D.tmp\599E.ps1”. This is an attempt to bypass PowerShell execution policies, Assolini said; the switch does exactly that for the new process, and because the execution policy is an administrative safety rail rather than a security boundary, it is no obstacle to a dropper that already has code execution. The script also edits Firefox’s prefs.js to insert the malicious proxy settings.
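As an added example, not code from the Kaspersky write-up or from the malware, the following PowerShell flags process-creation records that match the launch pattern described above: powershell.exe started with -ExecutionPolicy Bypass and a -File argument pointing into the user’s temp directory, optionally with a .PIF parent process. The records are constructed here to stand in for Sysmon Event ID 1 or Security 4688 data; the field names, the user name and the dropper filename “receipt.pif” are assumptions.

```powershell
# Added example, not part of the original report. Flags powershell.exe launches that
# match the dropper pattern: -ExecutionPolicy Bypass plus a -File script under %TEMP%.
function Test-SuspiciousPowerShellLaunch {
    param(
        [Parameter(Mandatory)] [string]$CommandLine,
        [string]$ParentImage = ''
    )

    # Only look at powershell.exe / pwsh.exe launches (full path or bare name, quoted or not).
    if ($CommandLine -notmatch '(^|\\|")(powershell|pwsh)(\.exe)?("|\s|$)') { return $null }

    $reasons = @()

    # -ExecutionPolicy (or the short forms -ep / -exec / -ex) set to Bypass. The policy is
    # not a security boundary, but setting it on the command line is a strong dropper signal.
    if ($CommandLine -match '-(ExecutionPolicy|Exec|EP|Ex)\s+Bypass') {
        $reasons += 'ExecutionPolicy Bypass'
    }

    # -File pointing at a .ps1 under %TEMP%, written either literally or as the expanded path.
    $tempScript = '-F(ile)?\s+"?(%TEMP%|[A-Za-z]:\\Users\\[^\\"]+\\AppData\\Local\\Temp)\\[^"\s]+\.ps1'
    if ($CommandLine -match $tempScript) {
        $reasons += 'script file under %TEMP%'
    }

    # Parent is a PIF/SCR/COM-style dropper rather than an interactive shell or a scheduler.
    if ($ParentImage -match '\.(pif|scr|com)$') {
        $reasons += "parent is $([IO.Path]::GetFileName($ParentImage))"
    }

    if ($reasons.Count -eq 0) { return $null }

    $severity = 'Low'
    if ($reasons.Count -ge 2) { $severity = 'High' }

    [pscustomobject]@{
        Severity    = $severity
        Reasons     = ($reasons -join '; ')
        CommandLine = $CommandLine
        ParentImage = $ParentImage
    }
}

function Find-SuspiciousPowerShellLaunch {
    param([Parameter(Mandatory)] [hashtable[]]$Events)
    foreach ($e in $Events) {
        $hit = Test-SuspiciousPowerShellLaunch -CommandLine $e.CommandLine -ParentImage $e.ParentImage
        if ($hit) { $hit }
    }
}

# Constructed sample records standing in for Sysmon Event ID 1 / Security 4688 entries.
# 'alice' and 'receipt.pif' are assumptions; the first command line is the one quoted in
# the Securelist analysis, with %TEMP% left unexpanded as it appears there.
$sampleEvents = @(
    @{  CommandLine = 'powershell.exe -ExecutionPolicy Bypass -File %TEMP%\599D.tmp\599E.ps1'
        ParentImage = 'C:\Users\alice\AppData\Local\Temp\receipt.pif' }
    @{  CommandLine = '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -File C:\Users\alice\AppData\Local\Temp\599D.tmp\599E.ps1'
        ParentImage = 'C:\Users\alice\AppData\Local\Temp\receipt.pif' }
    @{  CommandLine = 'powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1'
        ParentImage = 'C:\Windows\System32\svchost.exe' }
    @{  CommandLine = 'C:\Windows\System32\notepad.exe'
        ParentImage = 'C:\Windows\explorer.exe' }
)

# The first two records are reported as High; the backup script and notepad are not reported.
Find-SuspiciousPowerShellLaunch -Events $sampleEvents | Format-Table -AutoSize
```

To run this against live data, feed Find-SuspiciousPowerShellLaunch hashtables built from Get-WinEvent on the Sysmon operational log (Event ID 1 carries CommandLine and ParentImage) or from Security Event ID 4688 with command-line auditing enabled; the matching logic is deliberately loose on the PowerShell path so that copies launched from unusual locations are still seen.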

After infection by “Trojan-Proxy.PowerShell.Agent.a”, a user who tries to visit any of the websites listed in the script is redirected to a phishing domain hosted on the malicious proxy server. The proxy domains used in the attack are registered through dynamic DNS services, and their purpose is to send that traffic to a server in the Netherlands hosting several phishing pages for Brazilian banks, according to Assolini.
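The two places the report describes the script changing are the per-user WinINET proxy settings (read by Internet Explorer and Chrome) and Firefox’s prefs.js. The following added PowerShell, not code from the report or from Kaspersky, audits both and flags any proxy or PAC URL that is not on an allow-list. The prefs.js excerpt is constructed for the example, the proxy host “proxy.example.invalid” and the allow-listed “proxy.corp.example” are placeholders, and the registry and profile paths are the standard ones Windows and Firefox use.

```powershell
# Added example, not part of the original report. Audits WinINET (IE/Chrome) and Firefox
# proxy configuration for the kind of change the Trojan makes.

function Get-WinInetProxySetting {
    # Internet Explorer stores its proxy here; Chrome reads the same values.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Source        = 'WinINET (IE/Chrome)'
        Enabled       = [bool]$p.ProxyEnable
        ProxyServer   = [string]$p.ProxyServer      # "host:port" or "http=host:port;https=..."
        AutoConfigURL = [string]$p.AutoConfigURL    # PAC URL, if any
    }
}

function ConvertFrom-FirefoxPrefs {
    # Parses prefs.js text. Lines look like: user_pref("network.proxy.type", 1);
    param([Parameter(Mandatory)] [string]$PrefsText)
    $prefs = @{}
    $pattern = 'user_pref\("(?<name>[^"]+)",\s*(?<value>"(?:[^"\\]|\\.)*"|[^)]+)\);'
    foreach ($m in [regex]::Matches($PrefsText, $pattern)) {
        $prefs[$m.Groups['name'].Value] = $m.Groups['value'].Value.Trim('"')
    }
    # network.proxy.type: 0 direct, 1 manual, 2 PAC, 4 auto-detect, 5 use system (the
    # default, in which case Firefox inherits whatever WinINET says).
    $type = 5
    if ($prefs.ContainsKey('network.proxy.type')) { $type = [int]$prefs['network.proxy.type'] }
    $server = ''
    if ($prefs['network.proxy.http']) {
        $server = '{0}:{1}' -f $prefs['network.proxy.http'], $prefs['network.proxy.http_port']
    }
    [pscustomobject]@{
        Source        = 'Firefox prefs.js'
        Enabled       = ($type -eq 1 -or $type -eq 2)
        ProxyServer   = $server
        AutoConfigURL = [string]$prefs['network.proxy.autoconfig_url']
    }
}

function Test-ProxySetting {
    param(
        [Parameter(Mandatory)] [pscustomobject]$Setting,
        [string[]]$AllowedProxyHosts = @()      # your legitimate proxy / PAC hosts
    )
    $findings = @()
    if ($Setting.Enabled -and $Setting.ProxyServer) {
        # Take the first host from "host:port" or "http=host:port;https=host:port".
        $hostPart = (($Setting.ProxyServer -split '[:;]')[0]) -replace '^\w+=', ''
        if ($AllowedProxyHosts -notcontains $hostPart) {
            $findings += "$($Setting.Source): proxy '$($Setting.ProxyServer)' is not on the allow-list"
        }
    }
    if ($Setting.AutoConfigURL) {
        try { $pacHost = ([uri]$Setting.AutoConfigURL).Host } catch { $pacHost = $Setting.AutoConfigURL }
        if ($AllowedProxyHosts -notcontains $pacHost) {
            $findings += "$($Setting.Source): PAC URL '$($Setting.AutoConfigURL)' is not on the allow-list"
        }
    }
    $findings
}

# Constructed prefs.js excerpt showing a manual proxy inserted into a Firefox profile.
# The host and port are placeholders, not indicators taken from the report.
$samplePrefs = @'
user_pref("browser.startup.homepage", "https://example.com/");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "proxy.example.invalid");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.ssl", "proxy.example.invalid");
user_pref("network.proxy.ssl_port", 8080);
'@

$allowed = @('proxy.corp.example')   # assumption: the organisation's own proxy host

# Offline check on the constructed excerpt: reports the proxy.example.invalid:8080 entry.
Test-ProxySetting -Setting (ConvertFrom-FirefoxPrefs -PrefsText $samplePrefs) -AllowedProxyHosts $allowed

# Live audit of this machine: WinINET plus every Firefox profile's prefs.js.
Test-ProxySetting -Setting (Get-WinInetProxySetting) -AllowedProxyHosts $allowed
Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles\*\prefs.js" -ErrorAction SilentlyContinue |
    ForEach-Object {
        Test-ProxySetting -Setting (ConvertFrom-FirefoxPrefs -PrefsText (Get-Content $_ -Raw)) -AllowedProxyHosts $allowed
    }
```

If the audit reports a hit, remediation is the inverse of the infection: set ProxyEnable to 0 and remove ProxyServer and AutoConfigURL under the Internet Settings key, and with Firefox closed set network.proxy.type back to 5 (or delete the network.proxy.* lines) in prefs.js, then deal with the dropper and the scheduled re-infection path before trusting the browser again.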

According to Kaspersky Lab, Brazil was the most infected country when it comes to banking Trojans in Q1 2016.

“Attackers (developing Brazilian malware) are investing time and money to develop solutions where the malicious payload is completely hidden under a lot of obfuscation and code protection,” notes a Securelist post from March. That stands in stark contrast to Brazilian malware that not long ago was described as simple and easy to detect.

Researchers believe Brazilian cybercriminals have upped their game by adopting new techniques as a result of collaboration with their European counterparts.

Authors

Threatpost
